Key take-aways:
The first family in NIST SP 800-171r2, Access Control, is one of the most essential for organizations seeking CMMC certification
Five common mistakes organizations make in meeting these requirements are outlined in this post
These mistakes include:
Ron Ross, co-author of NIST SP 800-53 and the subsequent CUI standards, calls the Access Control family the heart of what protecting data is all about. Without strong access control policies, a bad actor can sometimes access sensitive data undetected. Preventing these scenarios helped spark the development of CMMC in the first place. The Access Control family in NIST SP 800-171r2 is numbered 3.1, and the family contains 22 requirements. As important as this family is, many organizations make errors that can halt their CMMC assessments. Here are five common mistakes organizations make in working toward meeting these requirements.
Organizations work hard on their System Security Plans (SSPs) because they want to show assessors immediately that they have all cybersecurity bases covered. Unfortunately, when an assessor asks to see proof of policies in action, the plan can fall apart. Some organizations create detailed plans but never implement those plans in practice. As an example, perhaps the SSP states that the organization conducts a quarterly user review, but documentation shows management has not conducted a user review for two years.
Access Control is about who can access CUI, how they can access CUI, and why they should be able to access CUI. This applies to both people and devices. In the interest of protecting CUI as much as possible, some organizations state that the entry point of CUI into the organization is the only place CUI may reside. This means that, according to the policy, the shop floor cannot access the information. It is important for organizations to determine how CUI needs to flow through the organization before developing policies around protecting that data.
Sometimes organizations adopt an “all or nothing” approach to permissions. If an organization grants permissions to many team members, it is easier for a bad actor to infiltrate the system. The concept of least privilege must be present, and the organization must document who can access what data and why.
Many SSPs outline clear policies about MFA. Sometimes a CMMC assessor finds that while these policies exist, there is no way to verify that users are actually using MFA. Alternatively, users may be using MFA to access some data but not all data. This traces back to the problem of adhering to an SSP in practice. An organization seeking CMMC certification must be able to illustrate how it ensures that users across the organization are using MFA properly.
Perhaps the most common mistake in CMMC assessments across all of the control families is a failure to document everything. Remember, the requirements in NIST SP 800-171r2 do not tell the entire story of what an organization must comply with. The assessment objectives form the core of compliance. An assessor may say, “Don’t tell me, show me.” For the Access Control family, this means showing your regularly audited list of privileged access users, showing your MFA logs, and more.
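The three evidence gaps described above (a quarterly privileged-user review that has lapsed, MFA policy that is not verified against sign-in logs, and missing documentation) can be checked from exported data before an assessor asks. The following script is an added example, not code from the original post or from any assessment tool; the account export format, the sign-in log format, and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

REVIEW_INTERVAL = timedelta(days=90)  # "quarterly user review", as an SSP might state

@dataclass
class Account:
    user: str
    privileged: bool
    mfa_enrolled: bool
    last_reviewed: Optional[date]  # date of the last access review, None if never reviewed

# Constructed sample account export (hypothetical; not real data).
ACCOUNTS = [
    Account("alice", privileged=True, mfa_enrolled=True, last_reviewed=date(2024, 3, 1)),
    Account("bob", privileged=True, mfa_enrolled=False, last_reviewed=date(2022, 1, 15)),
    Account("carol", privileged=False, mfa_enrolled=True, last_reviewed=None),
    Account("dave", privileged=False, mfa_enrolled=True, last_reviewed=date(2024, 2, 20)),
]

# Constructed sign-in log lines (hypothetical format: date user action mfa=<ok|none>).
MFA_LOG = """2024-03-02 alice login mfa=ok
2024-03-02 dave login mfa=none
2024-03-03 alice login mfa=ok
2024-03-03 carol login mfa=ok
"""

def users_seen_with_mfa(log: str) -> Set[str]:
    """Return the users with at least one sign-in where a second factor was actually used."""
    seen = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[3] == "mfa=ok":
            seen.add(parts[1])
    return seen

def audit(accounts: List[Account], log: str, today: date) -> List[Tuple[str, str]]:
    """Produce assessor-facing findings: stale privileged reviews and MFA policy not met in practice."""
    findings = []
    with_mfa = users_seen_with_mfa(log)
    for a in accounts:
        if a.privileged and (a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL):
            findings.append((a.user, "privileged account not reviewed within 90 days"))
        if not a.mfa_enrolled:
            findings.append((a.user, "MFA not enrolled"))
        elif a.user not in with_mfa:
            findings.append((a.user, "MFA enrolled but no MFA sign-in in logs"))
    return findings

def sample_audit() -> List[Tuple[str, str]]:
    """Run the audit on the constructed data as of a fixed date (hypothetical)."""
    return audit(ACCOUNTS, MFA_LOG, date(2024, 4, 1))
```

Each finding maps to something the assessor will ask to see: the review record for a privileged user, or log evidence that an MFA policy is enforced rather than merely written.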
Access Control is often the first thing an assessor will review with you. Sometimes an assessor will find while reviewing this first family that the organization is not ready to continue with the assessment. Making sure the organization is ready for this review is essential. What questions do you have?